Getshortcodes: >> Shortcodes Ultimate >> 3.0 Security Vulnerabilities
The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).
CVSS Score
5.4
EPSS Score
0.002
Published
2021-09-20
The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode.
CVSS Score
9.8
EPSS Score
0.089
Published
2019-08-22
Directory traversal vulnerability in Shortcodes Ultimate prior to version 4.10.0 allows remote attackers to read arbitrary files via unspecified vectors.
CVSS Score
5.0
EPSS Score
0.006
Published
2017-07-07
Page 3